Aikido Security Ltd., a leading cybersecurity firm, recently disclosed what is being described as the largest npm supply chain compromise to date. Attackers injected malicious code into 18 popular packages, which are reusable blocks of JavaScript code published to the Node Package Manager registry. These packages provide common functionality, such as formatting text, connecting to databases, or handling user input, so that developers do not have to write every part of a project from scratch.
The malicious code was found to be designed to hijack cryptocurrency transactions by monitoring browser application programming interfaces such as fetch and XMLHttpRequest, and wallet interfaces such as window.ethereum, redirecting funds to attacker-controlled addresses. The breach was detected by Aikido within five minutes of publication and disclosed publicly within the hour, limiting potential damage despite the enormous download footprint of the affected packages.
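As an added illustration (not code from the article, from Aikido, or from any of the affected packages), here is a defender-side integrity check a web page can run at startup to detect whether the browser APIs named above have been replaced by non-native JavaScript wrappers. The watched property paths and the sample objects are constructed for the demo.

```javascript
// Genuine browser built-ins stringify to "... { [native code] }";
// a JavaScript wrapper injected by a compromised dependency does not.
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Capture the real toString at load time so a later patch to
// Function.prototype.toString cannot hide a wrapper from us.
const realToString = Function.prototype.toString;

// True if `fn` is a function whose source is hidden as native code.
// Heuristic only: bound functions and callable Proxies also stringify
// as native, so a clean result is not proof of an unpatched page.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  // Call through realToString so an own toString() on fn is ignored.
  return NATIVE_RE.test(realToString.call(fn));
}

// Property paths (relative to the global object) that a transaction-
// hijacking hook would have to replace. Absent paths (e.g. no wallet
// extension installed) are skipped rather than flagged.
const WATCHED = [
  ['fetch'],
  ['XMLHttpRequest', 'prototype', 'open'],
  ['XMLHttpRequest', 'prototype', 'send'],
  ['ethereum', 'request'],
];

function resolvePath(root, path) {
  let cur = root;
  for (const key of path) {
    if (cur == null) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Returns dotted names of watched APIs that exist but are not native.
function findPatchedApis(root) {
  const suspicious = [];
  for (const path of WATCHED) {
    const fn = resolvePath(root, path);
    if (fn !== undefined && !isNativeFunction(fn)) suspicious.push(path.join('.'));
  }
  return suspicious;
}

// Constructed demo root: Array.prototype.push stands in for a genuine
// built-in, and the arrow function stands in for an injected wrapper.
const demoRoot = { fetch: Array.prototype.push, ethereum: { request: () => null } };
console.log(findPatchedApis(demoRoot)); // ["ethereum.request"]
if (typeof window !== 'undefined') console.log(findPatchedApis(window));
```

In a real deployment the check should run from a first-party script that loads before any bundled dependency, and a non-empty result should be reported to server-side telemetry rather than only logged to the console.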
The breach has raised concerns about the security of open-source ecosystems, with experts warning that attackers can exploit the trust built into these communities to carry out devastating attacks. Ensar Seker, chief information security officer at SOCRadar Cyber Intelligence Inc., described the incident as "a watershed moment in software supply chain security."
"The fear-based tactic of threatening to lock accounts by a specific deadline added urgency, increasing the chance of a successful compromise," Seker said.
Ilkka Turunen, field chief technology officer at Sonatype Inc., pointed to the methodology of the attack and to one particular group with the expertise to carry it out. "It was not a random choice to target the developer of these packages," he said. "Package takeovers are now a standard tactic for advanced persistent threat groups like Lazarus, because they know they can reach a large amount of the world's developer population by infiltrating a single under-resourced project."